Merge pull request #111 from jmara/feature/sftp

Feature/sftp

Author: Patrick Münch

README.md

@@ -39,11 +39,14 @@ This cookbook provides secure ssh-client and ssh-server configurations.
 * `['ssh']['use_pam']` - `false` to disable pam authentication
 * `['ssh']['print_motd']` - `false` to disable printing of the MOTD
 * `['ssh']['print_last_log']` - `false` to disable display of last login information
-* `default['ssh']['deny_users']` - `[]` to configure `DenyUsers`, if specified login is disallowed for user names that match one of the patterns.
-* `default['ssh']['allow_users']` - `[]` to configure `AllowUsers`, if specified, login is allowed only for user names that match one of the patterns.
-* `default['ssh']['deny_groups']` - `[]` to configure `DenyGroups`, if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
-* `default['ssh']['allow_groups']` - `[]` to configure `AllowGroups`, if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
-* `default['ssh']['use_dns']` - `nil` to configure if sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.
+* `['ssh']['deny_users']` - `[]` to configure `DenyUsers`, if specified login is disallowed for user names that match one of the patterns.
+* `['ssh']['allow_users']` - `[]` to configure `AllowUsers`, if specified, login is allowed only for user names that match one of the patterns.
+* `['ssh']['deny_groups']` - `[]` to configure `DenyGroups`, if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
+* `['ssh']['allow_groups']` - `[]` to configure `AllowGroups`, if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
+* `['ssh']['use_dns']` - `nil` to configure if sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.
+* `['ssh']['sftp']['enable']` - `false` to disable the SFTP feature of OpenSSHd. Set to `true` to enable SFTP.
+* `['ssh']['sftp']['group']` - `sftponly` to configure the `Match Group` option of SFTP to allow SFTP only for dedicated users
+* `['ssh']['sftp']['chroot']` - `/home/%u` to configure the directory where the SFTP user should be chrooted
 
 ## Data Bags
 
@@ -97,6 +100,26 @@ Configure attributes:
 
 **The default value for `listen_to` is `0.0.0.0`. It is highly recommended to change the value.**
 
+## SFTP
+
+To enable the SFTP configuration add one of the following recipes to the run_list:
+
+    "recipe[ssh-hardening]"
+    or
+    "recipe[ssh-hardening::server]"
+
+Configure attributes:
+
+    "ssh" : {
+      "sftp" : {
+        "enable" : true,
+        "chroot" : "/home/sftp/%u",
+        "group"  : "sftusers"
+      }
+    }
+
+This will enable the SFTP Server and chroot every user in the `sftpusers` group to the `/home/sftp/%u` directory. 
+
 ## Local Testing
 
 For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started).
@@ -154,6 +177,12 @@ We have seen some issues in applications (based on python and ruby) that are due
 
 If you find this isn't enough, feel free to activate the attributes `cbc_requires` for ciphers, `weak_hmac` for MACs and `weak_kex`for KEX in the namespaces `['ssh']['client']` or `['ssh']['server']` based on where you want to support them.
 
+**Why can't I log to the SFTP server after I added a user to my SFTP group?**
+
+This is a ChrootDirectory ownership problem. sshd will reject SFTP connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd considers insecure. sshd's strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable by the owner. So, for example, if the chroot environment is /home must be owned by root.
+
+See [https://wiki.archlinux.org/index.php/SFTP_chroot](https://wiki.archlinux.org/index.php/SFTP_chroot)
+
 ## Deprecation Notices
 
 * `node['ssh']['cbc_required']` has been deprecated in favour of `node['ssh']['client']['cbc_required']` and `node['ssh']['server']['cbc_required']`.

attributes/default.rb

@@ -76,3 +76,8 @@
 default['ssh']['server']['password_authentication'] = false   # sshd
 # http://undeadly.org/cgi?action=article&sid=20160114142733
 default['ssh']['client']['roaming']        = false
+
+# Define SFTP options
+default['ssh']['sftp']['enable']        = false
+default['ssh']['sftp']['group']         = 'sftponly'
+default['ssh']['sftp']['chroot']        = '/home/%u'

spec/recipes/server_spec.rb

@@ -504,4 +504,53 @@
         with_content(/UseDNS yes/)
     end
   end
+
+  context 'without attribute ["sftp"]["enable"]' do
+    it 'leaves SFTP Subsystem commented' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/^#Subsystem sftp/)
+    end
+  end
+
+  context 'with attribute ["sftp"]["enable"] set to true' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.set['ssh']['sftp']['enable'] = true
+      end.converge(described_recipe)
+    end
+
+    it 'sets SFTP Subsystem correctly' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/^Subsystem sftp/)
+    end
+  end
+
+  context 'with attribute ["sftp"]["enable"] set to true and ["sftp"]["group"] set to "testgroup"' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.set['ssh']['sftp']['enable'] = true
+        node.set['ssh']['sftp']['group'] = 'testgroup'
+      end.converge(described_recipe)
+    end
+
+    it 'sets the SFTP Group correctly' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/^Match Group testgroup$/)
+    end
+  end
+
+  context 'with attribute ["sftp"]["enable"] set to true and ["sftp"]["chroot"] set to "/export/home/%u"' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.set['ssh']['sftp']['enable'] = true
+        node.set['ssh']['sftp']['chroot'] = 'test_home_dir'
+      end.converge(described_recipe)
+    end
+
+    it 'sets the SFTP chroot correctly' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/^ChrootDirectory test_home_dir$/)
+    end
+  end
+
 end

templates/default/opensshd.conf.erb

@@ -189,6 +189,22 @@ UseDNS <%= ((@node['ssh']['use_dns']) ? 'yes' : 'no' ) %>
 #ChrootDirectory none
 #ChrootDirectory /home/%u
 
+<% if @node['ssh']['sftp']['enable'] %>
+# Configuration, in case SFTP is used
+## override default of no subsystems
+## Subsystem sftp /opt/app/openssh5/libexec/sftp-server
+Subsystem sftp internal-sftp -l VERBOSE
+
+## These lines must appear at the *end* of sshd_config
+Match Group <%= @node['ssh']['sftp']['group'] %>
+ForceCommand internal-sftp -l VERBOSE
+ChrootDirectory <%= @node['ssh']['sftp']['chroot'] %>
+AllowTcpForwarding no
+AllowAgentForwarding no
+PasswordAuthentication no
+PermitRootLogin no
+X11Forwarding no
+<% else %>
 # Configuration, in case SFTP is used
 ## override default of no subsystems
 ## Subsystem sftp /opt/app/openssh5/libexec/sftp-server
@@ -203,3 +219,4 @@ UseDNS <%= ((@node['ssh']['use_dns']) ? 'yes' : 'no' ) %>
 #PasswordAuthentication no
 #PermitRootLogin no
 #X11Forwarding no
+<% end %>